TY  - JOUR
AU  - Lombardi, Federico
AU  - Fanton, Alberto
AB  - Software engineering is evolving quickly, creating an urgent need for more efficient development models. DevOps and its security-oriented extension, DevSecOps, promise to speed up the development process while producing more robust code. However, vulnerabilities in third-party libraries and in the underlying infrastructure may still introduce security flaws. Moreover, regulatory compliance and standards go beyond secure software, demanding comprehensive security and accurate infrastructure hardening. Thus, we may ask: is DevSecOps enough? In this paper, we propose CyberDevOps, a novel architecture that integrates cybersecurity within DevSecOps. Specifically, (i) we revise software composition analysis to deal with nondeterministic environments, and (ii) we incorporate vulnerability assessment and compliance checking as an additional pipeline step. To assess the effectiveness of CyberDevOps, we conduct an experimental evaluation: we attack a web application and show how CyberDevOps detects hidden defects that a standard DevSecOps pipeline fails to catch. Furthermore, we assess code quality and security by comparing DevOps, DevSecOps, and CyberDevOps while monitoring two Conio code bases over a year. The results show that CyberDevOps helps to fix up to 100% of known bugs and vulnerabilities and significantly improves code quality.
TI  - From DevOps to DevSecOps is not enough. CyberDevOps: an extreme shifting-left architecture to bring cybersecurity within software security lifecycle pipeline
JF  - Software Quality Journal
DO  - 10.1007/s11219-023-09619-3
DA  - 2023-06-01
UR  - https://www.deepdyve.com/lp/springer-journals/from-devops-to-devsecops-is-not-enough-cyberdevops-an-extreme-shifting-3RM0MQD5Ux
SP  - 619
EP  - 654
VL  - 31
IS  - 2
DP  - DeepDyve
ER  - 